Responding to Corporate Critics of Aaron's Law, the New CFAA Reform Bill

After years of unnecessary expansion, the Computer Fraud and Abuse Act (CFAA) may soon get some much-needed reform. Senator Wyden, along with Representatives Lofgren and Sensenbrenner, recently introduced Aaron's Law, which offers modest, common-sense changes to the draconian anti-hacking law and brings the statute in-line with recent court rulings limiting its scope.

Though it doesn’t go as far as we would like, Aaron's law, named after the late Internet activist and pioneer Aaron Swartz, draws from EFF's own proposal by adapting the statute to reflect modern times and protect innovation. The bill lowers some of the penalties for crimes that produce little or no harm, deletes a provision that is repeated elsewhere in the statute, and clarifies once and for all that violating terms of service agreements is not a crime.

Unfortunately, despite widespread agreement between all sides that the that the CFAA is both outdated and overboard, many corporate representatives are now claiming that fixing the CFAA will hinder companies from going after “insider threats” or employees who take allegedly confidential company information. For example, in an article arguing that Aaron's Law will "eliminate the use of the CFAA," former Justice Department attorney Jason Weinstein wrote the new bill “would make it effectively impossible to use the CFAA to prosecute, or to bring civil suits based on, insider thefts of intellectual property or other proprietary business information.”

Weinstein’s complaints about Aaron's Law recycle the same old strawman argument: the CFAA is needed to stop employees from taking trade secrets. Companies can use a variety of existing statues, like trade secret, anti-fraud, or economic espionage laws to go after these “insider threats.” And of course even for non-trade secrets, copyright law applies, both civil and criminal. All of these laws have the same or tougher penalties as the CFAA as currently written.

Civil actions are yet another way for companies to tackle trade secrets or intellectual property theft. Even without the CFAA and without trade secrets laws, Companies can resort to civil actions like breach of contract or tortious interference with in either federal or state court. The actions provide them with the threat of bankruptcy for disloyal insiders and possibly even some financial recuperation, on par with what they would receive through a criminal case.

In case companies are worried about what laws they can use to alleviate these problems, we’ve created a handy chart which shows all the ways these types of actions are still illegal.

Unfortunately, it’s not just Weinstein who has made these misleading arguments. In another post, the Software and Information Industry Association (SIIA) states that the CFAA is effective at "protect[ing] billions of dollars of research and development." Unfortunately, SIIA forgets that those actions are not only covered by some of the above laws, but are covered by many other laws as well. Again we refer SIIA to our chart.

Regardless of the myriad other laws that companies can use to go after this type of behavior, it’s important to remember why this particular provision is being fixed in the first place: the “exceeds authorized access” language in the CFAA goes far beyond the insider threat scenario and creates criminal liability for routine, innocent Internet behavior for the millions of Americans who use the Internet everyday.

In fact, even Weinstein admits the statute is written "broadly enough to cover innocuous online activity." It’s not in dispute that the Justice Department still considers Internet terms of service and employee terms of use violations a criminal act. It’s even in official Justice Department policy guidelines. We've warned the dangers of this interpretation again and again, yet some corporate representatives are willing to let the general public continue to risk being called criminal for lying on Craigslist in order to ensure their easy ability have the cops throw disloyal employees in jail rather than merely firing them or bankrupting them with a lawsuit.

And even with these modest changes, the CFAA still has plenty of teeth. For instance, it severely punishes criminalizes malware injections, distributed denial of service attacks, and theft of login information.

We understand ambiguity about employee “authorized” access is a major headache at companies. But Aaron's law will actually help clarify what is, and is not, authorized by finally defining a key term in the bill. But that’s not why Aaron’s law is important. It’s important, and long overdue because Aaron’s Law stops the Justice Department from using current ambiguities in the law to threatens citizens with serious prosecutions involving felony prison time for common behavior, while still leaving many tools for companies to go after legitimate bad actors. Tell Congress now to reform the CFAA.